Application pool identity

on 24.02.2007 18:23:46 by Robert Faulkner

If a web application runs under an Application pool, does that mean that the application is impersonated as the account specified in the Identity tab of the application pool? If impersonation does in fact exist at the application pool level, I presume that setting the Impersonation values in the web.config file will take precedence and the application would operate under the account specified in the Web.config file rather than the App Pool Identity account.

From http://developmentnow.com/g/91_0_0_0_0_0/inetserver-iis-security.htm

Posted via DevelopmentNow.com Groups
http://www.developmentnow.com

Re: Application pool identity

on 24.02.2007 18:41:24 by Roger Abell

I think you need to get a little more clear on what impersonation is,
namely that an execution context assumes a different identity for a
time (life of thread, etc.) and during this time it is possible to access
the original context (revert to self).
App pools spin up as the app pool identity (i.e. not impersonate it).
When web.config specs to use impersonation, that means for example
if the web is not allowing anonymous access then the app pool will
impersonate the identity that authenticated to the web session.
Now, as to "the account specified in the web.config" you probably
need to be more clear about what specification you are meaning.
I am unclear whether you are thinking of an app config section,
whose use would be application behavior dependent, or whether
you are thinking of the statements of the allowed authenticators.
"Grant_S" wrote in message
news:cc4d417b-055a-4f0a-8405-e574424967df@developmentnow.com ...
> If a web application runs under an Application pool, does that mean that
> the application is impersonated as the account specified in the Identity
> tab of the application pool? If impersonation does in fact exist at the
> application pool level, I presume that setting the Impersonation values in
> the web.config file will take precedence and the application would operate
> under the account specified in the Web.config file rather than the App
> Pool Identity account.

RE: Application pool identity

on 16.03.2007 00:17:12 by Robert Faulkner

Roger, Thanks for your valuable help. Sorry about the delay in reply - I was called to another project and had to leave this. Yes! I agree, I might not be quite clear on how it all functions yet - as my solution is not working. Below, I have tried to clarify what I need to achieve, and my current understanding. There appears to be an IIS / Kerberos bug outlined by Microsoft which might be what is causing me grief (if my understanding is, in fact, correct).

I am trying to implement several web applications running under one application pool which uses a domain account for its identity - on a Win 2k3 server. I want IIS configured for only Windows authentication for these applications. I then need to have each application impersonate using a different account (some will be domain accounts; some will be local accounts). For this I am using the impersonation tag in the web.config file of each web app. The credentials for these accounts are encrypted and stored in the registry using the aspnet tool provided by Microsoft.

My understanding is that IIS should 'transparently' authenticate domain users for each session. Then each web app operates (thread runs) as the account specified in the web.config file to access any resources (and access databases - say - using a trusted connection). If I am correct, you are saying that due to the web.config impersonations, the app pool identity will be overridden and will also run under the context of the impersonation account specified in the web.config file - for each session for each web app?

As far as NTFS security goes then, I would need to add the impersonating accounts to the IIS_WPG group and also specify permissions at the root level of each application (or give IIS_WPG read;write;execute permissions for each web app root folder & sub folders).

I should then restrict or permit access to the website for the windows accounts via the 'allowing' and 'denying' users and roles as required via the Authorization tag in the web.config files of each web app.

Further, to make any calls to web service web methods on Web servers in the domain, I would need to actively set credentials with the Web Method call (NetworkCredentials). For this, I could establish the user credentials (=the impersonated account) or use some other credentials - depending on the need.

If my understanding is correct (and my solution is not working), then I might be having some problems relating to the MSDN article (http://support.microsoft.com/default.aspx?scid=kb;en-us;871179) - because I only seem to be able to run the web applications with Anonymous selected (in addition to Windows authentication) - in IIS. I have also followed the article on.

Hopefully you can spot any flaws in my understanding so that I can head in the right direction to get this sorted.

Thanks

Grant_S

From http://developmentnow.com/g/91_2007_2_0_0_936661/Application-pool-identity.htm

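Both Roger's description of impersonation (the request thread takes on another identity for a while and can revert to self) and Grant's setup (pool running as a domain account, Windows authentication only, a per-application account set in web.config) can be verified on the box rather than reasoned about. The diagnostic handler below is an added example and is not code from the thread or from Microsoft; it assumes .NET 2.0 or later, an IIS site with Windows authentication enabled and anonymous access disabled, full trust (reverting to self needs the ControlPrincipal permission), and a web.config that carries `<authentication mode="Windows" />` and, for the per-application account, `<identity impersonate="true" userName="..." password="..." />`. Browsing to it from a domain account prints the four identities that matter: who IIS authenticated and whether that happened over Kerberos or NTLM, who the thread runs as, who the worker process runs as, and that the thread identity comes back after reverting.

```csharp
// Added example (not from the thread): a diagnostic HTTP handler that reports
// which Windows identities are in play for one request.
// Register it in web.config under <httpHandlers> (hypothetical path):
//   <add verb="GET" path="IdentityCheck.ashx" type="IdentityCheckHandler" />
// Assumptions: .NET 2.0+, IIS Windows authentication only (no anonymous),
// full trust, and optionally <identity impersonate="true" userName= password= />.
using System;
using System.Security.Principal;
using System.Web;

public class IdentityCheckHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";

        // 1. What IIS authenticated. With Windows authentication only this is the
        //    browser user; if anonymous access is also enabled it is the IUSR_* account.
        WindowsIdentity logonUser = context.Request.LogonUserIdentity;
        context.Response.Write("IIS logon user         : " + logonUser.Name + "\n");
        // Typically "Kerberos" or "NTLM": tells you whether the Kerberos path
        // (the KB 871179 situation with a domain-account pool) is actually working.
        context.Response.Write("Authentication type    : " + logonUser.AuthenticationType + "\n");

        // 2. The identity the request thread runs as right now.
        //    No <identity impersonate="true"/>      -> the app pool account.
        //    impersonate="true", no userName        -> the IIS logon user above.
        //    impersonate="true", userName/password  -> that configured account.
        WindowsIdentity threadUser = WindowsIdentity.GetCurrent();
        context.Response.Write("Thread identity        : " + threadUser.Name + "\n");
        context.Response.Write("Impersonation level    : " + threadUser.ImpersonationLevel + "\n");

        // 3. Revert to self for a moment to see the worker process identity
        //    (the app pool identity). Impersonate(IntPtr.Zero) undoes impersonation;
        //    disposing the returned context restores the previous thread identity.
        string processUser;
        using (WindowsImpersonationContext revert = WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            processUser = WindowsIdentity.GetCurrent().Name;
        }
        context.Response.Write("Worker process identity: " + processUser + "\n");

        // 4. After the using block the thread identity must equal step 2 again;
        //    if it does not, some code path is leaking the reverted context.
        context.Response.Write("Thread identity (after): " + WindowsIdentity.GetCurrent().Name + "\n");
    }
}
```

Reading the output against Grant's goals: "IIS logon user" should be the domain user and never IUSR_*, "Thread identity" should be the web.config account for that application, and "Worker process identity" should be the pool's domain account for every application in the pool. If the logon user is correct but the authentication type is NTLM rather than Kerberos, or the site only works once anonymous access is added, the problem lies in IIS authentication for the domain-account pool rather than in the web.config impersonation settings, which is the area the KB article Grant cites covers.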